Forem: Jean-Marc Strauven

How I built nis2you with Laravel 12 + Livewire 3 — a NIS2 compliance SaaS for European SMEs

Jean-Marc Strauven — Tue, 05 May 2026 19:12:08 +0000

The problem nobody wants to deal with

Late 2024, the EU's NIS2 directive started biting. Thousands of mid-sized European companies that never thought of themselves as "critical infrastructure" suddenly found themselves in scope: manufacturers, logistics providers, MSPs, mid-tier SaaS vendors. The directive itself is broad, the national transpositions vary, but the practical question on the ground is the same everywhere: where do we even start?

If you're a 60-person Belgian manufacturer, you don't have a CISO. You probably don't have a dedicated security analyst either. You have an IT manager already wearing three hats, and now they need to deliver a risk assessment, an incident response plan, and a board-level reporting framework — against a deadline that has already passed in some Member States.

The big consultancies will gladly sell you a six-figure engagement. The big GRC platforms (OneTrust, ServiceNow IRM and friends) are priced for enterprise procurement teams, not SMEs. Between "expensive consultant" and "ignore the problem and hope you don't get audited," there is a gap. That gap is where I've been building for the last few months.

Why Laravel 12 + Livewire 3 (and what I rejected)

I'm a long-time Laravel developer. I maintain a few open-source packages under the Grazulex namespace, so the framework choice was never really up for debate — but I want to walk through why Laravel 12 + Livewire 3 holds up specifically for a regulated B2B SaaS with a single founder-developer.

The stack:

Laravel 12 — backend. Eloquent, queues, policies, broadcasting, the whole thing.
Livewire 3 — server-rendered reactivity. No SPA, no separate API, no client-side state to keep in sync.
Filament 3 — internal admin panel. Tenants, audits, support tickets, billing.
Tailwind CSS — styling.
MySQL 8 — primary store. Postgres would have been fine; hosting defaults pushed MySQL.
Laravel Horizon — dashboard for the async work (PDF generation, scheduled assessments, email).

Two stacks I seriously considered and dropped:

Laravel + Inertia + Vue. I like Inertia, but the moment you cross into Vue components you need build tooling, type definitions, and a parallel mental model. For a solo dev shipping fast, that's a tax with no matching benefit.
Next.js + Supabase. Fashionable, fast to prototype, painful for compliance work. Row-level security in Postgres is great — until you need a deep audit trail with field-level diff history and predictable, framework-native authorization. I wanted Laravel's policy + Eloquent observers ecosystem.

Livewire 3 in 2026 is genuinely good. The wire:model improvements, morph-based DOM diffing, and Alpine.js integration mean I can build a multi-step risk assessment wizard with conditional fields, validation, and live progress indicators — without writing a single line of dedicated JavaScript.

Four technical decisions worth talking about

1. State machines, hardcoded — not configurable

Every compliance object in nis2you (assessments, incidents, audits, action plans) goes through a defined lifecycle: draft → in_review → validated → published → archived. Early on, I was tempted to make this configurable per tenant. "Some clients might want a different workflow."

I didn't, and I'm glad I didn't. Configurable workflows mean a workflow engine, which means YAML files, which means a UI to edit them, which means support tickets when someone breaks the YAML. For a single-developer SaaS, hardcoded states with transition guards in plain PHP are dramatically simpler:

final class AssessmentState
{
    public const DRAFT      = 'draft';
    public const IN_REVIEW  = 'in_review';
    public const VALIDATED  = 'validated';
    public const PUBLISHED  = 'published';
    public const ARCHIVED   = 'archived';

    public static function canTransition(string $from, string $to): bool
    {
        return match ($from) {
            self::DRAFT      => in_array($to, [self::IN_REVIEW, self::ARCHIVED]),
            self::IN_REVIEW  => in_array($to, [self::DRAFT, self::VALIDATED]),
            self::VALIDATED  => in_array($to, [self::PUBLISHED, self::IN_REVIEW]),
            self::PUBLISHED  => $to === self::ARCHIVED,
            self::ARCHIVED   => false,
            default          => false,
        };
    }
}

Combined with an Eloquent observer that throws on illegal transitions, this is ~80 lines of code replacing what would be a 2,000-line workflow engine. If a tenant ever genuinely needs a different workflow, that's a one-on-one conversation, not a config screen.

2. PDF generation via DomPDF, queued through Horizon

NIS2 deliverables are documents. Risk assessments, incident reports, supplier inventories — at some point, somebody needs a signed PDF. PDF generation in PHP is slow and memory-heavy. Doing it inline kills the request.

The setup: a Blade template renders the document, DomPDF turns it into a PDF, the whole thing runs as a queued job, and Livewire listens for completion:

final class GenerateAssessmentPdf implements ShouldQueue
{
    public function __construct(public Assessment $assessment) {}

    public function handle(): void
    {
        $html = view('pdf.assessment', [
            'assessment' => $this->assessment,
        ])->render();

        $pdf = Pdf::loadHTML($html)->setPaper('a4');

        Storage::disk('s3')->put(
            "tenants/{$this->assessment->tenant_id}/assessments/{$this->assessment->id}.pdf",
            $pdf->output()
        );

        $this->assessment->update(['pdf_generated_at' => now()]);

        AssessmentPdfReady::dispatch($this->assessment);
    }
}

Horizon gives me retries, failure tracking, and a real-time dashboard. The Livewire component listens for AssessmentPdfReady and updates the UI without a refresh. Users see "generating..." → "ready, click to download" without ever holding a long-running HTTP request open.

3. Audit trail via Spatie ActivityLog — extended for field-level diffs

The default spatie/laravel-activitylog package logs creates / updates / deletes per model. For NIS2, that's not enough. Auditors want to know which field changed, who changed it, and what the previous value was. Two-year retention is the practical baseline.

I extended the default with a small Auditable trait, applied to every auditable model:

trait Auditable
{
    public function getActivitylogOptions(): LogOptions
    {
        return LogOptions::defaults()
            ->logFillable()
            ->logOnlyDirty()
            ->dontSubmitEmptyLogs()
            ->setDescriptionForEvent(
                fn (string $event) => "{$this->getMorphClass()}.{$event}"
            );
    }

    public function tapActivity(Activity $activity, string $event): void
    {
        $activity->properties = $activity->properties->merge([
            'tenant_id' => $this->tenant_id ?? null,
            'ip'        => request()?->ip(),
            'user_id'   => auth()->id(),
        ]);
    }
}

The activity log lives in a dedicated table partitioned monthly. Partitions older than twelve months get archived to S3. This was the single highest-ROI piece of plumbing in the whole app — auditors love it, and it has already answered "did the user actually approve this?" three times in beta.

4. Multi-tenancy: column-scoped now, schema-per-tenant on the V1.5 roadmap

Every tenant-bound model has a tenant_id. Global scopes apply automatically based on the authenticated session. It's the simplest possible model, and it works perfectly at current scale.

I deliberately did not ship schema-per-tenant in V1. The argument for it (hard data isolation, easier per-customer backups) is real but premature for a pre-revenue product. When a regulated customer eventually pushes for true schema isolation, V1.5 will introduce it via stancl/tenancy. Until then, column scoping plus exhaustive Pest tests on every policy is enough — and it keeps the operational story simple.

Three honest lessons

1. Filament saved me at least four weeks. I almost built a custom admin panel "because Filament might be limiting." It isn't. The internal panel for managing tenants, support tickets, and audit reviews took a weekend with Filament. A custom build would have eaten the entire month of February.

2. Livewire's gotchas are still real. Specifically: large arrays bound through wire:model cause noticeable hydration cost. I learned to flatten complex nested structures and to lift heavy state to the server through explicit method calls rather than blanket two-way binding. The "drop-in reactivity" promise has a ceiling — and you need to know where it is before a user complains the wizard feels sluggish.

3. Compliance UX is its own discipline. Devs love forms; compliance officers tolerate them. The single biggest UX investment was a "guided assessment" mode that walks the user question-by-question, with context, examples, and an explicit skip for now button. Completion rate tripled the week I shipped it. The lesson: in regulated B2B, the form is the product.

Closing

nis2you is live in private beta with a handful of Belgian SMEs and consultants. The stack — Laravel 12, Livewire 3, Filament, Horizon — is unglamorous, productive, and cheap to operate. If you're shipping a regulated B2B SaaS as a solo developer, I cannot recommend it strongly enough.

Genuinely curious what stack you'd reach for in this domain — drop a comment with the trade-offs you'd weigh differently. And if NIS2 happens to be on your customers' radar, nis2you.com is where the work lives.

Written by Jean-Marc Strauven — Belgian Laravel dev, maintainer of the Grazulex packages.

I Built a Task Manager for the AI Coding Era (and It's Just Markdown Files)

Jean-Marc Strauven — Fri, 07 Nov 2025 11:47:59 +0000

The Problem: Task Managers Weren't Built for AI Collaboration

I've been coding professionally for over 15 years, working with everything from Laravel to complex enterprise systems. Recently, like many developers, I've started "vibe coding" with AI assistants like Claude and ChatGPT. It's transformed how I work.

But here's the thing: traditional task managers don't understand this new workflow.

When I'm working with an AI assistant, I need separate spaces for:

My personal task breakdown and thinking
The AI's planning and approach
Documentation that the AI generates
Self-review notes from the AI

Tools like Todoist, Trello, or Linear force everything into the same bucket. It becomes messy fast. Plus, they're cloud-dependent, use proprietary formats, and treat AI as an afterthought.

The Solution: BackMark

I built BackMark to solve this exact problem. It's a CLI task manager with one core principle: your tasks are just Markdown files.

Why Markdown?

---
title: "Implement user authentication"
status: "in_progress"
priority: "high"
tags: ["backend", "security"]
---

## Description
Build JWT-based authentication system with refresh tokens.

## AI Plan
- Set up Laravel Sanctum
- Create user migration and model
- Build auth controllers
- Write tests

## AI Notes
Using Sanctum instead of Passport for simpler token management.

That's it. A plain .md file with YAML frontmatter. You can:

Edit it in any text editor
Track it with Git
Read it in 50 years
Own it forever (no vendor lock-in)

AI-First Design

BackMark treats AI as a first-class team member with four dedicated spaces:

ai_plan - Where your AI assistant outlines its approach
ai_notes - Working notes and decision rationale
ai_documentation - Generated docs and explanations
ai_review - Self-review and validation checks

This keeps human thinking and AI planning beautifully separated.

Blazing Fast Performance

When my task list grew past 1,000 items, I needed speed. I integrated LokiJS for in-memory indexing:

$ backmark list --tag backend
⚡ Found 247 tasks in 8ms

$ backmark search "authentication"
⚡ 12 matches in 6ms

That's 50-250x faster than scanning files directly. Sub-10ms queries on large collections.

Beautiful CLI Experience

I wanted the CLI to feel delightful, not like a chore:

$ backmark board

┌─────────────────────────────────────────────────┐
│  📋 TODO (23)    🚧 IN PROGRESS (5)    ✅ DONE  │
├─────────────────────────────────────────────────┤
│  • Fix login bug  │  • User dashboard  │  • Tests│
│  • Add logging    │  • API endpoints   │  • Docs │
│  • Update deps    │  • Database        │         │
└─────────────────────────────────────────────────┘

Features include:

Colorful, readable output
Interactive Kanban board
Fuzzy search
Smart prompts and autocomplete
Task complexity estimation
AI-powered task breakdown

The Philosophy: Privacy & Ownership

BackMark is 100% offline. No cloud sync, no accounts, no telemetry. Your data never leaves your machine.

In an era where every tool wants to:

Store your data in their cloud
Charge monthly subscriptions
Lock you into their ecosystem

BackMark is refreshingly simple: local Markdown files you completely own.

Real-World Usage

Here's my typical workflow:

Create a task: backmark add "Build payment integration"
Let Claude plan it in the ai_plan section
Work through it, updating status as I go
Have Claude document in ai_documentation
Review with Claude adding notes to ai_review

Everything stays organized, nothing gets lost, and I have a perfect audit trail in Git.

Technical Highlights

For the developers curious about the stack:

Node.js - Cross-platform CLI
LokiJS - In-memory indexing for speed
Commander.js - CLI framework
Chalk - Colorful terminal output
100% TypeScript - Type safety throughout

The architecture is simple: watch Markdown files, index with LokiJS, provide fast queries. No databases, no complexity.

Getting Started

npm install -g backmark

# Initialize in your project
backmark init

# Create your first task
backmark add "My first task"

# View your board
backmark board

Check out the documentation for more.

Why I Built This

I'm a Chapter Lead at BNP Paribas Fortis and maintain several open-source Laravel packages. I've tried every productivity tool out there. But when AI became part of my daily coding workflow, nothing fit.

BackMark is the tool I wish existed when I started vibe coding. It's built by a developer, for developers, with a deep respect for:

Your data ownership
Your privacy
Your freedom from vendor lock-in
Your time (hence the speed)

What's Next?

I'm planning to add:

Better Git integration (auto-commit task changes)
Time tracking features
Integration with popular AI coding tools
Team collaboration (still 100% local, using Git)

If you're coding with AI assistants and feeling the pain of messy task management, give BackMark a try. It's free, open-source, and built for exactly this use case.

Links:

Website: backmark.tech
GitHub: Star the repo
Product Hunt: Support the launch

What do you think? Are you using AI assistants in your daily coding? How do you manage tasks in this new workflow? Drop a comment below! 👇

P.S. - If you enjoyed this article, follow me for more insights on Laravel development, AI-assisted coding, and building developer tools.